Malware Analysis Report

2024-09-22 07:03

Sample ID 240602-nkrtzacd32
Target Infected12.exe
SHA256 779604d4424cfd906b2dcaef852dca573900ebf7a8555c70f539a661e22f9d60
Tags: rat default asyncrat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

779604d4424cfd906b2dcaef852dca573900ebf7a8555c70f539a661e22f9d60

Threat Level: Known bad

The file Infected12.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

Asyncrat family

AsyncRat

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-02 11:27

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 11:27

Reported

2024-06-02 11:28

Platform

win10-20240404-en

Max time kernel

12s

Max time network

14s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected12.exe"

Signatures

AsyncRat

rat asyncrat

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected12.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Infected12.exe

"C:\Users\Admin\AppData\Local\Temp\Infected12.exe"

Network

Country | Destination | Domain | Proto
DE | 193.161.193.99:44548 | | tcp
US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp
DE | 193.161.193.99:44548 | | tcp
DE | 193.161.193.99:44548 | | tcp

Files

memory/3988-0-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

memory/3988-1-0x00007FFC29E13000-0x00007FFC29E14000-memory.dmp

memory/3988-2-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp

memory/3988-3-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 11:27

Reported

2024-06-02 11:28

Platform

win7-20240508-en

Max time kernel

18s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected12.exe"

Signatures

AsyncRat

rat asyncrat

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected12.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Infected12.exe

"C:\Users\Admin\AppData\Local\Temp\Infected12.exe"

Network

Country | Destination | Domain | Proto
DE | 193.161.193.99:44548 | | tcp
DE | 193.161.193.99:44548 | | tcp
DE | 193.161.193.99:44548 | | tcp
DE | 193.161.193.99:44548 | | tcp

Files

memory/2140-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

memory/2140-1-0x0000000000280000-0x0000000000296000-memory.dmp

memory/2140-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

memory/2140-3-0x000007FEF5830000-0x000007FEF621C000-memory.dmp